Scheduler-Specific Confidentiality for Multi-threaded Programs and Its Logic-Based Verification

  • Marieke Huisman
  • Tri Minh Ngo
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7421)


Observational determinism has been proposed in the literature as a way to ensure confidentiality for multi-threaded programs. Intuitively, a program is observationally deterministic if the behavior of the public variables is deterministic, i.e., independent of the private variables and the scheduling policy. Several formal definitions of observational determinism exist, but all of them have shortcomings; for example they accept insecure programs or they reject too many innocuous programs. Besides, the role of schedulers was ignored in all the proposed definitions. A program that is secure under one kind of scheduler might not be secure when executed with a different scheduler. The existing definitions do not always ensure that an accepted program behaves securely under the scheduler that is used to execute the program.

Therefore, this paper proposes a new formalization of scheduler-specific observational determinism. It accepts programs that are secure when executed under a specific scheduler. Moreover, it is less restrictive on harmless programs under a particular scheduling policy. We discuss the properties of our definition and argue why it better approximates the intuitive understanding of observational determinism. In addition, we also discuss how compliance with our definition can be verified, using model-checking.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Barthe, G., D’Argenio, P., Rezk, T.: Secure information flow by self-composition. In: Foccardi, R. (ed.) Computer Security Foundations Workshop, pp. 100–114. IEEE Press (2004)Google Scholar
  2. 2.
    Barthe, G., Prensa Nieto, L.: Formally verifying information flow type systems for concurrent and thread systems. In: Proceedings of the 2004 ACM Workshop on Formal Methods in Security Engineering, FMSE 2004, pp. 13–22. ACM (2004)Google Scholar
  3. 3.
    Darvas, Á., Hähnle, R., Sands, D.: A Theorem Proving Approach to Analysis of Secure Information Flow. In: Hutter, D., Ullmann, M. (eds.) SPC 2005. LNCS, vol. 3450, pp. 193–209. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    Huisman, M., Blondeel, H.-C.: Model-Checking Secure Information Flow for Multi-threaded Programs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 148–165. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  5. 5.
    Huisman, M., Ngo, T.M.: Scheduler-specific confidentiality for multi-threaded programs and its logic-based verification. Technical Report TR-CTIT-11-22, CTIT, University of Twente, Netherlands (2011)Google Scholar
  6. 6.
    Huisman, M., Worah, P., Sunesen, K.: A temporal logic characterization of observation determinism. In: Computer Security Foundations Workshop. IEEE Computer Society (2006)Google Scholar
  7. 7.
    Huth, M., Ryan, M.: Logic in computer science: modeling and reasoning about the system, 2nd edn. Cambridge University Press (2004)Google Scholar
  8. 8.
    Parma, A., Segala, R.: Logical Characterizations of Bisimulations for Discrete Probabilistic Systems. In: Seidl, H. (ed.) FOSSACS 2007. LNCS, vol. 4423, pp. 287–301. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  9. 9.
    Peled, D., Wilke, T.: Stutter-invariant temporal properties are expressible without the next-time operator. Inf. Processing Letters 63, 243–246 (1997)MathSciNetCrossRefGoogle Scholar
  10. 10.
    Roscoe, A.W.: Csp and determinism in security modeling. In: IEEE Symposium on Security and Privacy, p. 114. IEEE Computer Society (1995)Google Scholar
  11. 11.
    Russo, A., Sabelfeld, A.: Security interaction between threads and the scheduler. In: Computer Security Foundations Symposium, pp. 177–189 (2006)Google Scholar
  12. 12.
    Sabelfeld, A., Myers, A.: Language-based information flow security. IEEE Journal on Selected Areas in Communications 21, 5–19 (2003)CrossRefGoogle Scholar
  13. 13.
    Terauchi, T.: A type system for observational determinism. In: Computer Science Foundations (2008)Google Scholar
  14. 14.
    Zdancewic, S., Myers, A.C.: Observational determinism for concurrent program security. In: Computer Security Foundations Workshop, pp. 29–43. IEEE Press (June 2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Marieke Huisman
    • 1
  • Tri Minh Ngo
    • 1
  1. 1.University of TwenteNetherlands

Personalised recommendations